Still no job...
Someone on the CSDN forum was promoting his own program, CHMFactory. Honestly, it really isn't much good... QUICKCHM is still better!
Bad as it is, it still wants you to register. After unpacking it I had a look in the disassembler: very simple... patched the check directly, and registration succeeded. But after restarting the program it was back to the old state, so apparently the author took some precautions. Nothing for it but to honestly read through the assembly.
Opened the program in OllyDbg, set a breakpoint with bp GetDlgItemTextA, a burst of Alt+F9, and then saw a CALL that actually takes these two parameters: one is the serial number, the other is the wrong registration code I had typed in... Sigh, the author really wrote it this way...
code:
;two parameters: the generated serial number, the registration code entered by the user
* Referenced by a CALL at Addresses:
|:0040CD63 , :0040D390
|
:00426370 81EC08080000 sub esp, 00000808
:00426376 B900020000 mov ecx, 00000200
:0042637B 33C0 xor eax, eax
:0042637D 8D542408 lea edx, dword ptr [esp+08]
:00426381 53 push ebx
:00426382 56 push esi
:00426383 57 push edi
:00426384 8D7C2414 lea edi, dword ptr [esp+14]
:00426388 F3 repz
:00426389 AB stosd
:0042638A 8BBC2418080000 mov edi, dword ptr [esp+00000818]
:00426391 83C9FF or ecx, FFFFFFFF
:00426394 F2 repnz
:00426395 AE scasb
:00426396 F7D1 not ecx
:00426398 2BF9 sub edi, ecx
:0042639A 6A3F push 0000003F
:0042639C 8BC1 mov eax, ecx
:0042639E 8BF7 mov esi, edi
:004263A0 8BFA mov edi, edx
:004263A2 C1E902 shr ecx, 02
:004263A5 F3 repz
:004263A6 A5 movsd
:004263A7 8BC8 mov ecx, eax
:004263A9 83E103 and ecx, 00000003
:004263AC F3 repz
:004263AD A4 movsb
* Reference To: MFC42.RectVisible, Ord:0337h
|
:004263AE E87F8EFFFF Call 0041F232
:004263B3 8BD8 mov ebx, eax
:004263B5 83C404 add esp, 00000004
:004263B8 85DB test ebx, ebx
:004263BA 0F84DA000000 je 0042649A
:004263C0 33C0 xor eax, eax
;build the table: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263CE(C)
|
:004263C2 8AC8 mov cl, al
:004263C4 80C130 add cl, 30
:004263C7 880C03 mov byte ptr [ebx+eax], cl
:004263CA 40 inc eax
:004263CB 83F80A cmp eax, 0000000A
:004263CE 7CF2 jl 004263C2
:004263D0 B80A000000 mov eax, 0000000A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263E1(C)
|
:004263D5 8AD0 mov dl, al
:004263D7 80C237 add dl, 37
:004263DA 881403 mov byte ptr [ebx+eax], dl
:004263DD 40 inc eax
:004263DE 83F824 cmp eax, 00000024
:004263E1 7CF2 jl 004263D5
:004263E3 B824000000 mov eax, 00000024
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263F4(C)
|
:004263E8 8AC8 mov cl, al
:004263EA 80C13D add cl, 3D
:004263ED 880C03 mov byte ptr [ebx+eax], cl
:004263F0 40 inc eax
:004263F1 83F83E cmp eax, 0000003E
:004263F4 7CF2 jl 004263E8
:004263F6 C6040300 mov byte ptr [ebx+eax], 00
:004263FA 8D7C2414 lea edi, dword ptr [esp+14]
:004263FE 83C9FF or ecx, FFFFFFFF
:00426401 33C0 xor eax, eax
:00426403 F2 repnz
:00426404 AE scasb
:00426405 F7D1 not ecx
:00426407 55 push ebp
:00426408 49 dec ecx
:00426409 33ED xor ebp, ebp
:0042640B 85C9 test ecx, ecx
:0042640D 7E2E jle 0042643D
* Possible Reference to Dialog: DialogID_008F, CONTROL_ID:0005, ""
|
:0042640F BE05000000 mov esi, 00000005 ;esi=5, used all over the place...
:00426414 8D442418 lea eax, dword ptr [esp+18]
:00426418 2BC6 sub eax, esi
:0042641A 89442410 mov dword ptr [esp+10], eax
:0042641E EB04 jmp 00426424
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042643B(C)
|
:00426420 8B442410 mov eax, dword ptr [esp+10]
;here is where the important part starts!!!
;compute EBP
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042641E(U)
|
:00426424 0FBE0430 movsx eax, byte ptr [eax+esi] ;first character
:00426428 0FAFC6 imul eax, esi ;*5
:0042642B 99 cdq ;edx:eax <-- eax
:0042642C BF3E000000 mov edi, 0000003E
:00426431 F7FF idiv edi ;eax mod 3e
:00426433 03EA add ebp, edx ;ebp = ebp (initially 0) + edx
:00426435 46 inc esi
:00426436 8D56FB lea edx, dword ptr [esi-05] ;next character
:00426439 3BD1 cmp edx, ecx
:0042643B 7CE3 jl 00426420
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042640D(C)
|
:0042643D 33C0 xor eax, eax
:0042643F 85C9 test ecx, ecx
:00426441 7E42 jle 00426485
* Possible Reference to Dialog: DialogID_008F, CONTROL_ID:0005, ""
|
:00426443 BE05000000 mov esi, 00000005
:00426448 8D7C2418 lea edi, dword ptr [esp+18]
:0042644C 2BFE sub edi, esi
:0042644E 894C2410 mov dword ptr [esp+10], ecx
:00426452 894C2414 mov dword ptr [esp+14], ecx
;registration code generation
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042647F(C)
|
:00426456 0FBE043E movsx eax, byte ptr [esi+edi] ;really looks familiar...
:0042645A 0FAFC6 imul eax, esi
:0042645D 03C5 add eax, ebp ;add the EBP computed just now
:0042645F B93E000000 mov ecx, 0000003E
:00426464 99 cdq
:00426465 F7F9 idiv ecx
:00426467 8B842420080000 mov eax, dword ptr [esp+00000820]
:0042646E 46 inc esi
:0042646F 8A141A mov dl, byte ptr [edx+ebx] ;table lookup; the first character of the registration code appears
:00426472 885430FA mov byte ptr [eax+esi-06], dl ;DL holds the real registration code character.
:00426476 8B442410 mov eax, dword ptr [esp+10]
:0042647A 48 dec eax
:0042647B 89442410 mov dword ptr [esp+10], eax
:0042647F 75D5 jne 00426456
:00426481 8B442414 mov eax, dword ptr [esp+14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00426441(C)
|
:00426485 8B8C2420080000 mov ecx, dword ptr [esp+00000820]
:0042648C 53 push ebx
:0042648D C6040800 mov byte ptr [eax+ecx], 00
* Reference To: MFC42.RectVisible, Ord:0339h
|
:00426491 E8D68CFFFF Call 0041F16C
:00426496 83C404 add esp, 00000004
:00426499 5D pop ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263BA(C)
|
:0042649A 5F pop edi
:0042649B 5E pop esi
:0042649C 5B pop ebx
:0042649D 81C408080000 add esp, 00000808
:004264A3 C20800 ret 0008
In the end the registration code is sitting in plain text on the stack; had I known, I wouldn't have bothered reading the algorithm (joking).
A simple program has a simple algorithm:
#include <stdio.h>
int fun(char *myser,*my pass)
{
char *key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
char *val
int i,basenum;
for (i=0;i< lstrlen(myser) ;i++ )
{
basenum = basenum + (*(myser + i) * (i + 5)) % 3;
}
for (i=0;i< lstrlen(myser) ;i++ )
{
*(val+i) = *(key + (*(myser + i) * (i + 5) + basenum) % 3
}
return *val;
}
This registration program cannot be compiled (too many errors, heh, on purpose). Everyone has to earn a living, and right now I'm getting a deep taste of how hard it is when you can't...